Do not assume keystone admin endpoint

keystone does not distinguish public and admin endpoints since
Train [1], so there is no need to use a separate endpoint for
keystone admin operations. admin endpoint still can be configured
but there is no functional difference anymore from other endpoints.
We do not need to require admin endpoint and can use an endpoint
specified by OPENSTACK_ENDPOINT_TYPE for all API operations.

This commit reverts commit f9bab3fe195eb13635aa70cb910d94df98d66cf3
as we no longer need the workaround.

[1] https://review.opendev.org/c/openstack/keystone/+/664246

Closes-Bug: #1950659
Change-Id: I2660fd2df8081e1d2d9c84626037f94bd9d137a5
This commit is contained in:
Akihiro Motoki 2022-03-25 14:08:17 +09:00
parent 0798bdacd3
commit 35a490f4ec
3 changed files with 15 additions and 11 deletions

View File

@ -24,11 +24,6 @@
- ^openstack_dashboard/.*/[^/]*\.spec\.js$
- ^horizon/static/.*/[^/]*\.spec\.js$
vars:
devstack_localrc:
# NOTE: workaround for bug 1950659
# Some horizon integration test start failing after devstack
# stop creating default keystone admin endpoint.
KEYSTONE_ADMIN_ENDPOINT: true
devstack_services:
horizon: true
tox_envlist: integration

View File

@ -157,12 +157,9 @@ def keystoneclient(request, admin=False):
if domain_token:
token_id = getattr(domain_token, 'auth_token', None)
if admin:
if not policy.check((("identity", "admin_required"),), request):
raise exceptions.NotAuthorized
endpoint_type = 'adminURL'
else:
endpoint_type = settings.OPENSTACK_ENDPOINT_TYPE
if admin and not policy.check((("identity", "admin_required"),), request):
raise exceptions.NotAuthorized
endpoint_type = settings.OPENSTACK_ENDPOINT_TYPE
# Take care of client connection caching/fetching a new client.
# Admin vs. non-admin clients are cached separately for token matching.

View File

@ -0,0 +1,12 @@
---
upgrade:
- |
Horizon no longer requires the keystone admin endpoint. keystone does
not distinguish public and admin endpoints and there is no functional
difference between public and admin endpoints. There is no need for
a separate endpoint for keystone admin operations, but horizon required
the keystone admin endpoint is configured previously. This requirement
no longer exists. An endpoint specified by ``OPENSTACK_ENDPOINT_TYPE``
setting is used for the keystone admin operations. You can drop
the admin endpoint for keystone (unless other services require it).
[:bug:`1950659`]